Google Workspace Out Of Domain Email Forwarding

Original Source: [Sigma source]
Title: Google Workspace Out Of Domain Email Forwarding
Status: experimental
Description: Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.
References:
  - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#email_forwarding_out_of_domain
Author: Tom kluter
Date: 2026-04-28
Modified: None
Tags:
  • attack.t1114.003
  • attack.collection
Logsource:
  • product: gcp
  • service: google_workspace.login
Detection:
  selection:
    protoPayload.serviceName: 'login.googleapis.com'
    protoPayload.metadata.event.eventName: 'email_forwarding_out_of_domain'
  condition: selection
Falsepositives:
  - Legitimate forwarding
Level: medium